[pull] master from tinyproxy:master #18
Open
pull[bot] wants to merge 57 commits into httpsgithu:master from tinyproxy:master
as suggested in #212, it seems the majority of people don't understand that input was expected to be in regex format and people were using filter lists containing plain hostnames, e.g. `www.google.com`. apart from that, using fnmatch() for matching is actually a lot less computationally expensive and allows to use big blacklists without incurring a huge performance hit. the config file now understands a new option `FilterType` which can be one of `bre`, `ere` and `fnmatch`. The `FilterExtended` option was deprecated in favor of it. It still works, but will be removed in the release after the next.
read_request_line() is exercised on the client's fd, and it fails when the client closed the connection. therefore it's wrong to send an error message to the client in this situation. additionally, the error message states that the server closed the connection. might fix #383
also, don't use fopen(NULL) if usage of errorfiles is not configured.
while at it, the function doing it was renamed from the misleading ssl name to what it actually does. also inlined the strings that were previously defined as macros. addressing #152
it's not possible to use a https url in a ReversePath directive, without removing the security provided by https, and would require adding a dependency on a TLS library like openssl and a lot of code complexity to fetch the requested resource via https and relay it back to the client. in case the reversepath directive kicked in, but the protocol wasn't recognized, and support for transparent proxying built-in, the code wrongfully tried to turn the request into a trans request, leading to a bogus rewritten url like http://localhost:8888https://www.endpoint.com and an error message that we're trying to connect to the machine the proxy runs on. now instead use the generic code that signals an invalid protocol/url was used. closes #419
the existing text was sort of misleading as it was written in a pre-HTTPS era. addressing #475
closes #487
* Added support to configure IPv6 upstream proxy servers using bracket syntax.
* Added regular expression for IPv6 scope identifier to re for IPv6 address.

…493)
* tinyproxy.conf.5: document config strings that require double quotes
  String config values matched by the STR regex must be enclosed in double quotes
  Edit descriptions for brevity
  conf.c: move boolean arguments comment before BOOL group
  addresses #491
* Revert conf.c: move boolean arguments comment before BOOL group
since accept() uses the socklen parameter as in/out, after processing an IPv4 the socklen fed to it waiting for the next client was only the length of sockaddr_in, so if a connection from an IPv6 came in the client sockaddr was only partially filled in. this caused wrongly printed ipv6 addresses in log, and failure to match them correctly against the acl. closes #495
Co-authored-by: Victor Kislov <victork@primis.tech>
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889

this bug was brought to my attention today by the debian tinyproxy package maintainer. the above link states that the issue was known since last year and that maintainers have been contacted, but if that is even true then it probably was done via a private email to a potentially outdated email address of one of the maintainers, not through the channels described clearly on the tinyproxy homepage:

> Feel free to report a new bug or suggest features via github issues.
> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.

no github issue was filed, and nobody mentioned a vulnerability on the mentioned IRC chat. if the issue had been reported on github or IRC, the bug would have been fixed within a day.
given the catastrophic way TALOS Intelligence "communicated" with upstream (i.e. by probably sending a single mail to an unused email address), it's probably best to explicitly document how to approach upstream when a security issue is discovered.
github continues to deprecate actions and idioms in their CI system. hopefully these changes will last for a while and maintaining a simple CI task doesn't turn into a neverending story.
Omit the version number from headers, HTML responses, and templates
makes BasicAuth realm string editable in config file. closes #235
fixes warning about implicit function declaration which is by default treated as an error starting with GCC14. closes #560
if tinyproxy serves as a HTTP server (i.e. when serving stats), use error code 401, else error code 407. fixes #532
it turned out that a hashmap isn't the right datastructure, as the special-case header Set-Cookie not only can, but is even heavily recommended to be used multiple times. we now use a dumb list as a key-value store for this purpose, but restrict it to max 256 entries so the linear search can always be completed in reasonable time in case of an attack. closes #403
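The data structure that commit message describes, as an added sketch (not tinyproxy's own code; `header_list`, `header_add`, `header_find` and `header_free` are hypothetical names): an append-only list that keeps repeated names such as Set-Cookie and refuses entry 257, so every lookup is bounded no matter how many headers a peer sends.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HEADERS 256              /* cap named in the commit message */

struct header { char *name, *value; };
struct header_list { struct header items[MAX_HEADERS]; size_t count; };

static char *copy_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Header names are case-insensitive, so compare them that way. */
static int same_name(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Append one header, keeping duplicates. Returns 0, or -1 once the
 * cap is reached (or on allocation failure) so the caller can reject. */
int header_add(struct header_list *l, const char *name, const char *value) {
    if (l->count >= MAX_HEADERS) return -1;
    char *n = copy_str(name), *v = copy_str(value);
    if (!n || !v) { free(n); free(v); return -1; }
    l->items[l->count++] = (struct header){ n, v };
    return 0;
}

/* Linear search from index `from`; returns the index or -1. At most
 * MAX_HEADERS comparisons, however many headers the peer sent. */
long header_find(const struct header_list *l, const char *name, size_t from) {
    for (size_t i = from; i < l->count; i++)
        if (same_name(l->items[i].name, name)) return (long)i;
    return -1;
}

void header_free(struct header_list *l) {
    for (size_t i = 0; i < l->count; i++) {
        free(l->items[i].name);
        free(l->items[i].value);
    }
    l->count = 0;
}
```

Calling `header_find` again with the previous index plus one walks every value stored under a repeated name.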
The following error types are addressed:

* https://www.shellcheck.net/wiki/SC2164 -- Use 'cd ... || exit' or 'cd ... || return' in case cd fails.
* https://www.shellcheck.net/wiki/SC2086 -- Double quote to prevent globbing and word splitting.
* https://www.shellcheck.net/wiki/SC2006 -- Use $(...) notation instead of legacy backticks `...`.

Signed-off-by: Michael Adam <obnox@samba.org>

This fixes several instances of the following shellcheck issues:

* https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitting.
* https://shellcheck.net/wiki/SC3037 (warning): In POSIX sh, echo flags are undefined.
* https://shellcheck.net/wiki/SC2268 (style): Avoid x-prefix in comparisons as it no longer serves a purpose.
* https://shellcheck.net/wiki/SC2009 (info): Consider using pgrep instead of grepping ps output.
* https://shellcheck.net/wiki/SC3028 (warning): In POSIX sh, SECONDS is undefined.
* SC2059 (info): Don't use variables in the printf format string
* COUNT appears unused. Verify use (or export if used externally).
* https://shellcheck.net/wiki/SC2162 (info): read without -r will mangle backslashes.
* https://shellcheck.net/wiki/SC2034 (warning): READ appears unused. Verify use (or export if used externally).
* https://shellcheck.net/wiki/SC2317 (info): Command appears to be unreachable. Check usage (or ignore if invoked indirectly).
* https://shellcheck.net/wiki/SC2086 (info): Double quote to prevent globbing and word splitting.

Signed-off-by: Michael Adam <obnox@samba.org>

tests: fix syntax errors in run_tests.sh

Signed-off-by: Michael Adam <obnox@samba.org>

This fixes instances of:

* https://shellcheck.net/wiki/SC2086 (info): Double quote to prevent globbing and word splitting.
* https://shellcheck.net/wiki/SC2034 (warning): BASEDIR appears unused.

Signed-off-by: Michael Adam <obnox@samba.org>
This can be used to lint shell scripts for syntactic correctness and style. It requires shellcheck to be installed on the host. Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
due to the use of an invalid macro HAVE_VSYSLOG_H (a corresponding header doesn't exist on POSIX libcs, plus there was no configure check setting it), the code here was never compiled in, and the portable fallback was always used. since the fallback is already there and known to work as intended, just use it always. closes #574
the function isn't used anywhere in the current codebase, so don't waste user's time checking for it.
regression from 942d0c6
the script always returned 1.11.0-rc1, because apparently that tag was annotated, unlike the newer ones.
this could lead to a DoS when a legitimate client reads from an attacker-controlled web server. closes #597
due to some ancient piece of code that's supposed to fix a bug in 1990's internet explorer, sockets were switched between blocking and non-blocking mode, making it hard to differentiate when socket timeouts kicked in. with the IE bug workaround removed, sockets are now always in blocking mode so we no longer need to catch EAGAIN/EWOULDBLOCK and treat them specially, they are now always treated as an error (whenever they are returned, the timeout kicked in). this should fix once and for all the cases where tinyproxy would not respect the user-provided socket timeouts, potentially causing endless loops. closes #598
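The behaviour that commit message describes, as an added sketch rather than tinyproxy's code: on a socket that stays in blocking mode, EAGAIN/EWOULDBLOCK from `recv()` can only mean the receive timeout expired, so the caller reports it and stops instead of looping. It assumes the timeout is set with `SO_RCVTIMEO`; the function names and the socketpair scenario are constructed for illustration.

```c
#include <errno.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

enum read_result { READ_OK, READ_EOF, READ_TIMEOUT, READ_ERROR };

/* Assumption: the configured timeout is applied with SO_RCVTIMEO. */
int set_recv_timeout(int fd, long ms) {
    struct timeval tv;
    tv.tv_sec = ms / 1000;
    tv.tv_usec = (ms % 1000) * 1000;
    return setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
}

/* On a socket that is always blocking, EAGAIN/EWOULDBLOCK can only mean
 * the timeout expired, so it is reported instead of being retried. */
enum read_result read_once(int fd, char *buf, size_t len, ssize_t *got) {
    ssize_t n;
    do {
        n = recv(fd, buf, len, 0);
    } while (n < 0 && errno == EINTR);   /* interrupted by a signal: retry */
    if (n > 0) { *got = n; return READ_OK; }
    if (n == 0) return READ_EOF;
    if (errno == EAGAIN || errno == EWOULDBLOCK) return READ_TIMEOUT;
    return READ_ERROR;
}

/* Constructed scenario on a local socketpair.
 * peer: 0 = stays silent, 1 = sends data, 2 = closes its end. */
int demo(int peer) {
    int sv[2];
    char buf[16];
    ssize_t got = 0;
    enum read_result r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (set_recv_timeout(sv[0], 100) != 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    int ok = (peer != 1) || write(sv[1], "hi", 2) == 2;
    if (peer == 2) close(sv[1]);
    r = ok ? read_once(sv[0], buf, sizeof buf, &got) : READ_ERROR;
    close(sv[0]);
    if (peer != 2) close(sv[1]);
    return (int)r;
}
```

With a silent peer the call returns after roughly 100 ms with `READ_TIMEOUT`, which the caller treats as a hard error for that connection.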
the chunked transfer encoding needs to be matched in a case-insensitive manner. closes #604
See Commits and Changes for more details.
Created by pull[bot]